#pragma once
/********************************************************************************
* Memory management, misc. *
********************************************************************************/
//
// Custom allocator for functions that allocate pool memory.
//
// Callback type the caller hands to library routines that need scratch or
// result memory (see the Allocator parameter of DomitoFindModuleBaseAddress).
// ByteSize is the number of bytes requested. __drv_allocatesMem(Mem) tells
// SAL the return value is a new allocation the caller is responsible for
// releasing; the pool type, tag and matching free routine are not fixed by
// this header, so each implementation must document them itself.
//
// NOTE(review): nothing here annotates the failure case (no _Ret_maybenull_),
// so callers should treat a NULL return as allocation failure and check for
// it before use — confirm against the implementations in the project.
//
typedef
_IRQL_requires_same_
_Function_class_(EVT_DOMITO_ALLOCATE_ROUTINE)
__drv_allocatesMem(Mem)
PVOID
NTAPI
EVT_DOMITO_ALLOCATE_ROUTINE(
_In_ SIZE_T ByteSize
);

// Pointer-to-function form used by the library prototypes below.
typedef EVT_DOMITO_ALLOCATE_ROUTINE* PFN_DOMITO_ALLOCATE_ROUTINE;
/********************************************************************************
* Cryptography *
********************************************************************************/
//
// This structure encapsulates a signature used in verifying executable files.
//
// Local copy of the WIN_CERTIFICATE layout for builds where the SDK header
// that normally provides it is not included. dwLength covers the whole entry
// (this header plus the certificate bytes); bCertificate is a trailing
// variable-length blob whose format is selected by wCertificateType (see the
// WIN_CERT_TYPE_* values below).
//
// NOTE(review): instances of this structure are read out of untrusted PE
// images (the security directory), so a parser must treat every field as
// hostile: confirm the directory holds at least the fixed header before
// reading dwLength, require dwLength to be no smaller than that header and no
// larger than the bytes remaining, and reject wRevision/wCertificateType
// values it does not explicitly handle. With default packing, sizeof this
// struct includes the one-element array plus padding, so the on-disk header
// size should be taken as FIELD_OFFSET(WIN_CERTIFICATE, bCertificate) rather
// than sizeof(WIN_CERTIFICATE) — confirm.
//
// NOTE(review): `defined(WIN_CERTIFICATE)` only tests for a preprocessor
// macro of that name; if the SDK header declares WIN_CERTIFICATE as a typedef
// (not a macro), this guard will not suppress the definition and including
// both headers would redefine the struct tag. Confirm which header is
// expected to be present and guard on a macro that header actually defines.
//
#if !defined(WIN_CERTIFICATE)
typedef struct _WIN_CERTIFICATE {
DWORD dwLength;                      // total size of this entry in bytes, header included
WORD wRevision;                      // structure revision
WORD wCertificateType;               // one of WIN_CERT_TYPE_*; selects the format of bCertificate
BYTE bCertificate[ANYSIZE_ARRAY];    // trailing variable-length certificate/signature data
} WIN_CERTIFICATE, *LPWIN_CERTIFICATE;
#endif
//
// UM definitions of WinCrypt.h
//
// Values for WIN_CERTIFICATE.wCertificateType. Only the types this library
// deals with are reproduced, each guarded so an already-included SDK
// definition takes precedence. A verifier should reject any
// wCertificateType it does not explicitly handle rather than assuming a
// default interpretation of bCertificate.
//
#if !defined(WIN_CERT_TYPE_X509)
#define WIN_CERT_TYPE_X509 (0x0001) // The bCertificate member contains an X.509 certificate.
#endif
#if !defined(WIN_CERT_TYPE_PKCS_SIGNED_DATA)
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA (0x0002) // The bCertificate member contains a PKCS SignedData structure.
#endif
#if !defined(WIN_CERT_TYPE_PKCS1_SIGN)
#define WIN_CERT_TYPE_PKCS1_SIGN (0x0009) // The bCertificate member contains PKCS1_MODULE_SIGN fields.
#endif
//
// CAPI algorithm identifiers (ALG_ID values) for the hash algorithms a
// signature in this library may reference.
//
// NOTE(review): WinCrypt.h spells the SHA-2 identifiers CALG_SHA_256,
// CALG_SHA_384 and CALG_SHA_512 (with an underscore), so the guards on the
// three SHA-2 names below will not see the SDK definitions and these macros
// will always be defined here. That is harmless while the values agree, but
// confirm, and consider guarding on the SDK spelling. Recognizing CALG_SHA1
// is needed to parse older signatures; whether a SHA-1-only signature is
// accepted is a policy decision that belongs in the verifier, not here.
//
#if !defined(CALG_SHA1)
#define CALG_SHA1 0x8004u
#endif
#if !defined(CALG_SHA256)
#define CALG_SHA256 0x800cu
#endif
#if !defined(CALG_SHA384)
#define CALG_SHA384 0x800du
#endif
#if !defined(CALG_SHA512)
#define CALG_SHA512 0x800eu
#endif
/********************************************************************************
* Library functions *
********************************************************************************/
//
// Finds the base address of a driver module
//
// ModuleName - name of the loaded driver module to look up (counted STRING,
//              passed by value).
// Allocator  - callback used for any memory the lookup needs; see
//              EVT_DOMITO_ALLOCATE_ROUTINE.
// ModuleBase - receives the module's image base when the call succeeds.
//
// Returns STATUS_SUCCESS when the module was found (per _Success_); callers
// must inspect the status. PASSIVE_LEVEL only.
//
// NOTE(review): ModuleBase is annotated _Inout_opt_, but nothing in this
// header suggests its incoming value is read; _Out_opt_ (or _Outptr_opt_)
// would describe an output parameter more precisely and lets SAL check
// callers. The Allocator contract states who allocates but not who frees —
// if anything obtained through Allocator outlives this call, document the
// matching release routine here. Confirm both against the implementation.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoFindModuleBaseAddress(
_In_ STRING ModuleName,
_In_ PFN_DOMITO_ALLOCATE_ROUTINE Allocator,
_Inout_opt_ PVOID * ModuleBase
);
<br>//
// Finds the address of an exported function by name
//
// ModuleBase      - image base of a loaded module (for example the value
//                   produced by DomitoFindModuleBaseAddress).
// FunctionName    - export name to look up (counted STRING, passed by value).
// FunctionAddress - receives the resolved address when the call succeeds.
//
// Returns STATUS_SUCCESS when the export was found (per _Success_); callers
// must inspect the status. PASSIVE_LEVEL only.
//
// NOTE(review): the lookup presumably walks the export directory of the
// mapped image. Every offset taken from image headers (export directory RVA,
// name/ordinal/address table RVAs, name string RVAs) should be bounds-checked
// against the image size before it is dereferenced, and forwarded exports
// (an address RVA that points back inside the export section) need separate
// handling — confirm against the implementation. As with
// DomitoFindModuleBaseAddress, _Inout_opt_ on FunctionAddress reads as an
// output parameter and would be clearer as _Out_opt_.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(PASSIVE_LEVEL)
EXTERN_C
NTSTATUS
DomitoFindExportedFunctionAddress(
_In_ PVOID ModuleBase,
_In_ STRING FunctionName,
_Inout_opt_ PVOID * FunctionAddress
);
//
// Scans a provided buffer for a memory pattern
//
// pcPattern - pattern bytes to search for, puLen bytes long.
// uWildcard - presumably a byte value which, where it appears in pcPattern,
//             matches any byte of the buffer — confirm against the
//             implementation.
// puLen     - length of the pattern in bytes.
// pcBase    - start of the buffer to scan.
// puSize    - size of the buffer in bytes.
// ppMatch   - receives the address of a match, or NULL when there is none
//             (per _Outptr_result_maybenull_).
//
// Returns STATUS_SUCCESS per _Success_. Whether "no match" is reported as
// STATUS_SUCCESS with *ppMatch == NULL or as a failure status cannot be
// determined from this header — confirm, and have callers check both the
// status and *ppMatch.
//
// NOTE(review): this routine may run at DISPATCH_LEVEL, so the scanned range
// must be resident (nonpaged or locked) for the whole call; touching pageable
// memory at that IRQL bugchecks. The implementation must also refuse to scan
// when puLen is 0 or puLen > puSize and must not let pcBase + puSize wrap.
// The prefixes are misleading: puLen/puSize are SIZE_T values, not pointers,
// and pcBase is a non-const PVOID. Annotating the buffers with their extents
// (`_In_reads_bytes_(puLen) PCUCHAR pcPattern`,
// `_In_reads_bytes_(puSize) PVOID pcBase`) would let SAL check callers.
// Unlike the two prototypes above, this one has no EXTERN_C, so it gets C++
// linkage when the header is consumed from C++ unless an enclosing
// extern "C" block not visible here covers it — confirm.
//
_Success_(return == STATUS_SUCCESS)
_Must_inspect_result_
_IRQL_requires_max_(DISPATCH_LEVEL)
NTSTATUS
DomitoMemorySearchPattern(
_In_ PCUCHAR pcPattern,
_In_ UCHAR uWildcard,
_In_ SIZE_T puLen,
_In_ PVOID pcBase,
_In_ SIZE_T puSize,
_Outptr_result_maybenull_ PVOID * ppMatch
);